CVE-2023-37914: Privilege escalation (PR)/RCE from account through Invitation subject/message
First published: Thu Aug 17 2023(Updated: )
### Impact Any user who can view `Invitation.WebHome` can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. This can be reproduced with the following steps: 1. Open the invitation application (Invitation.WebHome). 1. Set the subject to `{{cache}}{{groovy}}new File("/tmp/exploit.txt").withWriter { out -> out.println("Attacked from invitation!"); }{{/groovy}}{{/cache}}` 1. Click "Preview" ### Patches The vulnerability has been patched on XWiki 14.4.8, 15.2-rc-1, and 14.10.6. ### Workarounds The vulnerability can be patched manually by applying the [patch](https://github.com/xwiki/xwiki-platform/commit/ff1d8a1790c6ee534c6a4478360a06efeb2d3591) on `Invitation.InvitationCommon` and `Invitation.InvitationConfig`. ### References - https://jira.xwiki.org/browse/XWIKI-20421 - https://github.com/xwiki/xwiki-platform/commit/ff1d8a1790c6ee534c6a4478360a06efeb2d3591 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org)
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Xwiki Xwiki | >=2.5<14.4.8 | |
| Xwiki Xwiki | >=14.5.0<14.10.6 | |
| Xwiki Xwiki | >=15.0<15.2 | |
| maven/org.xwiki.platform:xwiki-platform-invitation-ui | >=15.0-rc-1<15.2-rc-1 | 15.2-rc-1 |
| maven/org.xwiki.platform:xwiki-platform-invitation-ui | >=14.5<14.10.6 | 14.10.6 |
| maven/org.xwiki.platform:xwiki-platform-invitation-ui | >=2.5-m-1<14.4.8 | 14.4.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/xwiki/xwiki-platform/commit/ff1d8a1790c6ee534c6a4478360a06efeb2d3591
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7954-6m9q-gpvf
- https://jira.xwiki.org/browse/XWIKI-20421
- https://nvd.nist.gov/vuln/detail/CVE-2023-37914
- https://github.com/advisories/GHSA-7954-6m9q-gpvf (Advisory)
Frequently Asked Questions
What is CVE-2023-37914?
CVE-2023-37914 is a vulnerability in XWiki Platform that allows any user who can view 'Invitation.WebHome' to execute arbitrary script macros and gain remote code execution access.
How severe is CVE-2023-37914?
CVE-2023-37914 has a severity rating of 9.9 (critical).
Which versions of XWiki Platform are affected by CVE-2023-37914?
Versions 2.5 to 14.4.8 and 14.5.0 to 14.10.6 of XWiki Platform are affected by CVE-2023-37914.
How can the CVE-2023-37914 vulnerability be exploited?
The CVE-2023-37914 vulnerability can be exploited by executing arbitrary script macros, including Groovy and Python macros, in the 'Invitation.WebHome' page.
What is the remedy for CVE-2023-37914?
The recommended remedy for CVE-2023-37914 is to upgrade to version 15.2-rc-1 of 'org.xwiki.platform:xwiki-platform-invitation-ui' package.
- collector/nvd-api
- collector/nvd-index
- collector/nvd-cve
- collector/github-advisory-latest
- alias/GHSA-7954-6m9q-gpvf
- alias/CVE-2023-37914
- collector/github-advisory
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/remedy
- agent/author
- agent/weakness
- agent/title
- agent/severity
- agent/references
- agent/tags
- agent/event
- agent/description
- agent/first-publish-date
- vendor/xwiki
- canonical/xwiki xwiki
- version/xwiki xwiki/2.5
- version/xwiki xwiki/14.5.0
- version/xwiki xwiki/15.0
- package-manager/maven